Law Investigation, Forensics, and Ethics ◾  399
© 2011 by Taylor & Francis Group, LLC
• Avoid conflicts of interest or the appearance thereof.
• Render only those services for which you are fully competent and qualified.
Advance and protect the profession:
• Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession.
• Take care not to injure the reputation of other professionals through malice or indifference.
• Maintain your competence; keep your skills and knowledge current.
• Give generously of your time and knowledge in training others.
Interpreting Policy as a Security Professional
Ethics
Assessing policy can often require the evaluation of ethical principles. Policies dictate how the organization will operate. This covers operational aspects such as awareness, employee monitoring, and how issues such as software piracy will be handled. These all require the development of an ethical organizational culture.
The security posture, or the aspects of corporate culture that cover security, is for the most part significant when attempting to develop, implement, or enforce security policy. Corporate culture always exists, whether it is intentionally cultivated or it develops organically. Senior management can attempt to shape corporate culture by imposing corporate values and standards of behavior that specifically reflect the objectives of the organization; however, the extant internal culture within the workforce can subvert this process.
A conscious effort to establish a culture that embraces security should be based on a process of communicating the message through the following:
Vision statements
Mission statements
Doctrine or core values
Frequent internal writings on related topics
Awareness sessions
The key to establishing values is frequent, consistent, and repeated communication.
No organization is homogeneous. Within an organization, divisions will also have their own cultures and hence different security postures. To be successful in developing, implementing, and enforcing security policy, a leader needs to be sensitive to the character of the departments as well as the overall organization.
Assessing the security posture and the implementation of a culture of security requires looking for evidence of senior management's involvement in the cultural engineering exercise. Does the organization even have a security mission statement?
400 ◾ Official (ISC)2® Guide to the ISSMP® CBK®
The 10 Commandments of IT Security
The following is an example of a code of ethics suggested by the Computer Ethics Institute (Washington, DC, USA).
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow human beings.
Hacker Code of Ethics
Many who like to call themselves hackers make statements about how they will limit damage, not create loss, and generally make systems better by exploring. Ethical hacking without authorization is still illegal, and social engineering is considered to be an act of fraud.
Former Attorney General Janet Reno started a public-private alliance to restrain Internet crime through teaching children "that hacking is the same as breaking and entering."
Human Resource Issues
Human resource (HR) departments have a crucial role to play in regard to the security of an organization. The human resources department needs to be involved with the organization's security to decrease the risks associated with the following:
Human error, theft, fraud, or misuse of facilities
Users who are unaware of information security threats and concerns, and are not equipped to support the corporate security policy in the course of their normal work
Minimizing the damage from security incidents and malfunctions and learning from such incidents
Some of the key areas needed within an organization that should be fulfilled by HR are as follows:
Ensuring that "Terms and Conditions of Employment—Employment Letters/Contracts" have been issued and cover the security requirements of the organization.
Ensuring that Employee Confidential Information Undertaking documents have been completed.
Creating and issuing policies on Intellectual Property Rights and ensuring that an Employee Undertaking document has been signed.
Creating and enforcing policies on privacy issues such as Sharing Employee Information.
Creating and conducting Induction Training.
Providing a suggested Disciplinary Process for management.
Ensuring that a Grievance Procedure exists.
Conducting Exit Interviews for staff leaving the organization.
Checking Information Security Clearance Levels where needed.
All of these measures help to reduce risk and increase the levels of professional standards and ethics that are applied within an organization.
Compliance with Legal Requirements
To avoid breaches of any statutory, criminal, or civil obligations and of any security requirements, the design, operation, and use of IT systems may be subject to statutory and contractual security requirements. Legal compliance is a detailed topic and is specific to both locality and industry. It has become a major driver for information technology investments. "Compliance" in the true sense of the word entails a legal requirement or a standard for context.
It is important that the organization's security administrator is familiar with the pertinent legal standards and requirements for his or her location and industry. Compliance issues demand that organizations look beyond the hype of current laws and regulations to address topics such as corporate governance, privacy, encryption laws, signature laws, and critical infrastructure requirements simultaneously.
International organizations must understand the legal requirements of various jurisdictions, including the similarities and conflicts among them. They also need to address the ethical concerns that commonly differ across cultures.
A failure to understand the broader context of applicable legal and ethical requirements could result in multiple problems. Conflicts among the ethical and legal issues that apply in different countries may become apparent from a lack of understanding regarding the differences in various jurisdictions. This is likely to result in compliance failures or in overcompliance, as well as a number of ethical breaches. Any of these issues is likely to cost an organization in the end.
Questions
FAQs
Q: What do I need to do if I want to commence legal action for corporate espionage?
A: To successfully prosecute corporate espionage, it is necessary to prove that the information has value. This can be a monetary value, a hidden value, or an economic advantage to an adversary/competitor. You also need to demonstrate that the information was protected and properly marked for protection, that policies and procedures were in place, and that awareness training was instituted.
Q: Why shouldn't I use passive voice when writing my reports?
A: "The author wrote the words in his diary" employs active voice. "The words in the diary were written by the author" illustrates passive voice. When writing a report, avoid any form of the verb to be, such as is, are, was, and were. Read your writing aloud; you'll find that passive voice can lead you to lapse into a sing-song schoolchild reading his "what I did last summer" essay out loud. It is much more difficult to take passive voice seriously.
Q: What is considered public domain?
A: Like all things, copyright protection eventually ends; it is only a "limited monopoly." When copyrights expire, they fall into the public domain. With a number of exceptions, public domain works may be unreservedly copied or used in the production of derivative works without either the permission or the authorization of the former copyright holder. At some stage in the Clinton administration, the contentious Sonny Bono Copyright Term Extension Act (CTEA) passed into law. This Act added 20 years to most copyright terms. It also created a moratorium that, in effect, stops any new works from entering the public domain until 2019. The bill was enacted to ensure protection for U.S. works in the foreign market.
Q: What is wrong with using acronyms in my reports?
A: Three-letter acronyms (TLAs) are the bane of all good reports. Acronyms often conflict within similar spheres. However, when you take a range of different occupations and knowledge fields, people start to read different meanings into this technical jargon. The result is that the report is less clear to the average reader.
Q: I work for an ISP in the United States and have discovered child pornography on a Web site we host. What should I do?
A: Under the Protection of Children from Sexual Predators Act of 1998 (Sexual Predators Act), ISPs are required to notify law enforcement of Web sites containing child pornography on their server(s). Failing to report it could mean that the ISP will be fined.
Review Questions
1. Under the Electronic Communications Privacy Act, the expression "electronic communications" does NOT incorporate which of the following?
I. Tone-only paging devices
II. Electronic funds transfer information
III. Tracking devices
IV. Wire or oral communications
a. I, II, III, and IV
b. I
c. I and II
d. I and III
2. The Digital Millennium Copyright Act (DMCA) has specific provisions designed to legislate against and thus aid in preventing what type of action?
a. Circumvention of technologies used to protect copyrighted work
b. Creation of malicious code
c. Digital manipulation or alteration of copyrighted computer code
d. Digital reproduction of copyrighted documents and artwork
3. What questions are asked when deciding the outcome of a U.S. federal trademark dilution case?
a. When was the mark created?
b. How distinctive is the mark?
c. Who owns the mark?
d. How unique and recognized is the mark?
4. To sue for copyright infringement in the United States, what is the first step that a copyright holder must take?
a. No action is necessary, as copyright attaches as a right of the author as
soon as the work is created.
b. Register a copyright application with the Copyright Office of the Library of Congress.
c. Formally publish the work.
d. Put the alleged infringer on notice that you intend to bring an action.
5. The judge in a civil court case can issue an order allowing for a civil search of another party's goods and to seize specific evidence. This order is known as a(n)
a. Subpoena
b. Doctrine of Exigent Circumstances
c. Anton Piller Order
d. Search warrant
6. Your company has a policy prohibiting pornography on company equipment,
and an employee has become aware of a network user who has an image of a
nude child on his computer. When you investigate the matter, you find that